With data breaches on the rise and seemingly no end to the damage that a breach can have on an organization, the issue of who pays has heated up as an insurer petitions a court to find it's not required to defend Michaels against a bevy of class action lawsuits resulting from a breach and a retail group challenges a credit union's call to shift greater liability for breaches to retailers.
Safety National, which issued a commercial general liability insurance policy to Michaels, told a U.S. District Court in Texas Wednesday that it shouldn't be required to defend Michaels in the breach cases because those lawsuits don't seek payout for bodily injury or property damages that the policy covers.
The insurer notes that “at least four class action lawsuits” have been filed against the retailer claiming Michaels didn't adequately protect customer data, such as credit and debit card information and asking for damages for the denial of privacy protections, unauthorized charges and bank fees incurred, identity theft costs as well as other costs.
In turn, Michaels petitioned “Safety National provide [it] with a defense” against those claims, according to court documents.
In documents filed with the Court, the insurance provider said Michaels had requested that it provide the retailer with “a defense in the Consolidated Class Action and seeks coverage from Safety National under the Policy for the claims asserted in the Consolidated Class Action” and informed Michaels “ there is no coverage under the Policy for the claims asserted in the class action lawsuits, based upon information provided and available to Safety National.” Wednesday's filing asked the court for relief.
The issue of who pays and how much will grow increasingly important as companies struggle to mitigate the financial damage done by a breach. According to the Ponemon Institute, the average cost of a data breach is $3.5 million. But as Target's December breach proves, organizations often don't have a firm fix on just how much a breach might cost. In fact, associated costs can ripple out for months, even years.
In the past, financial institutions have routinely eaten the costs of fraudulent charges resulting from a breach, but the wind is beginning to shift there, too, as a groundswell of support has grown in favor of putting the onus on retailers.